Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

CVEs (9,364)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2022-41263 1Sap 1Business Objects Business Intelligence Platform Jun 17, 2026 Dec 12, 2022 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information...Show more Due to a missing authentication check, SAP Business Objects Business Intelligence Platform (Web Intelligence) - versions 420, 430, allows an authenticated non-administrator attacker to modify the data source information for a document that is otherwise restricted. On successful exploitation, the attacker can modify information causing a limited impact on the integrity of the application.Show less
CVE-2022-3999 1Dpdgroup 1Woocommerce Shipping Jun 17, 2026 Dec 12, 2022 N/A· v4 8.1 HIGH· v3 N/A· v2 The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, whic...Show more The DPD Baltic Shipping WordPress plugin before 1.2.57 does not have authorisation and CSRF in an AJAX action, which could allow any authenticated users, such as subscriber to delete arbitrary options from the blog, which could make the blog unavailable.Show less
CVE-2022-3946 1Welcart 1Welcart E Commerce Jun 17, 2026 Dec 12, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.
CVE-2022-3883 1Stopbadbots Project 1Stopbadbots Jun 17, 2026 Dec 12, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as sub...Show more The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection WordPress plugin before 7.24 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.orgShow less
CVE-2022-3882 1Wp Memory Project 1Wp Memory Jun 17, 2026 Dec 12, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin WordPress plugin before 2.46 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subs...Show more The Memory Usage, Memory Limit, PHP and Server Memory Health Check and Fix Plugin WordPress plugin before 2.46 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.orgShow less
CVE-2022-3881 1Wptools Project 1Wptools Jun 17, 2026 Dec 12, 2022 N/A· v4 5.7 MEDIUM· v3 N/A· v2 The WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin before 3.43 does not have proper authorisation and CSRF in an AJAX action, allowi...Show more The WP Tools Increase Maximum Limits, Repair, Server PHP Info, Javascript errors, File Permissions, Transients, Error Log WordPress plugin before 3.43 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.orgShow less
CVE-2022-3880 1Antihacker Project 1Antihacker Jun 17, 2026 Dec 12, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users,...Show more The Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan WordPress plugin before 4.20 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.orgShow less
CVE-2022-3879 1Car Dealer Project 1Car Dealer Jun 17, 2026 Dec 12, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it a...Show more The Car Dealer (Dealership) and Vehicle sales WordPress Plugin WordPress plugin before 3.05 does not have proper authorisation and CSRF in an AJAX action, allowing any authenticated users, such as subscriber to call it and install and activate arbitrary plugins from wordpress.orgShow less
CVE-2022-3853 1Supra Csv Parser Project 1Supra Csv Parser Jun 17, 2026 Dec 12, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in a web browser of the victim by including malicious code in a legitimate web page or web application.
CVE-2022-45980 1Tenda 1Ax12 Firmware Jun 17, 2026 Dec 12, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 Tenda AX12 V22.03.01.21_CN was discovered to contain a Cross-Site Request Forgery (CSRF) via /goform/SysToolRestoreSet .
CVE-2022-46688 1Jenkins 1Sonar Gerrit Jun 17, 2026 Dec 12, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators)...Show more A cross-site request forgery (CSRF) vulnerability in Jenkins Sonar Gerrit Plugin 377.v8f3808963dc5 and earlier allows attackers to have Jenkins connect to Gerrit servers (previously configured by Jenkins administrators) using attacker-specified credentials IDs obtained through another method, potentially capturing credentials stored in Jenkins.Show less
CVE-2022-41296 1Ibm 2Db2 Db2 Warehouse Jun 17, 2026 Dec 12, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 IBM Db2U 3.5, 4.0, and 4.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 237210.
CVE-2022-45228 1Dragino 1Lg01 Lora Firmware Jun 17, 2026 Dec 12, 2022 N/A· v4 3.5 LOW· v3 N/A· v2 Dragino Lora LG01 18ed40 IoT v4.3.4 was discovered to contain a Cross-Site Request Forgery in the logout page.
CVE-2022-4397 1Zend Blog 2 Project 1Zend Blog 2 Jun 17, 2026 Dec 10, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation...Show more A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 36b2d4abe20a6245e4f8df7a4b14e130b24d429d. It is recommended to apply a patch to fix this issue. VDB-215250 is the identifier assigned to this vulnerability.Show less
CVE-2022-4349 1Pwn Project 1Pwn Jun 17, 2026 Dec 8, 2022 N/A· v4 6.8 MEDIUM· v3 N/A· v2 A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attac...Show more A vulnerability classified as problematic has been found in CTF-hacker pwn. This affects an unknown part of the file delete.html. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-215109 was assigned to this vulnerability.Show less
CVE-2022-41622 1F5 12Big Ip Access Policy Manager Big Ip Advanced Firewall ManagerBig Ip Analytics+9 more Jun 17, 2026 Dec 7, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 In all versions, BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2022-44849 1Metinfo 1Metinfo Jun 17, 2026 Dec 7, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account.
CVE-2022-23475 1Daloradius 1Daloradius Jun 17, 2026 Dec 6, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to accou...Show more daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy. Show less
CVE-2022-3926 1Wp Oauth 1Wp Oauth Server Jun 17, 2026 Dec 5, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary clie...Show more The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret of an arbitrary client given they know the client IDShow less
CVE-2022-45824 1Elbtide 1Advanced Booking Calendar Jun 17, 2026 Dec 5, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress.

Previous 1...265266267...469 Next